CVE-2019-10384 - Vulnerability Details

CVE-2019-10384 - jenkins: CSRF protection tokens for anonymous users did not expire in some circumstances (SECURITY-1491)

Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to obtain CSRF tokens without an associated web session ID, resulting in CSRF tokens that did not expire and could be used to bypass CSRF protection for the anonymous user.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jenkins	Jenkins
Oracle	Communications Cloud Native Core Automated Test Suite
Redhat	Openshift Openshift Container Platform

Configuration 1 [-]

OR	cpe:2.3:a:jenkins:jenkins:::::lts:::*
	cpe:2.3:a:jenkins:jenkins::::::::

Configuration 2 [-]

cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:a:redhat:openshift_container_platform:3.11:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.1:::::::*

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 3.11
jenkins-0:2.176.3.1569349414-1.el7	cpe:/a:redhat:openshift:3.11::el7	RHSA-2019:3144	2019-10-18T00:00:00Z
Red Hat OpenShift Container Platform 4.1
jenkins-0:2.176.3.1568229898-1.el7	cpe:/a:redhat:openshift:4.1::el7	RHSA-2019:2789	2019-09-20T00:00:00Z

References

Link	Providers
http://www.openwall.com/lists/oss-security/2019/08/28/4
https://access.redhat.com/errata/RHSA-2019:2789
https://access.redhat.com/errata/RHSA-2019:3144
https://jenkins.io/security/advisory/2019-08-28/#SECURITY-1491
https://nvd.nist.gov/vuln/detail/CVE-2019-10384
https://www.cve.org/CVERecord?id=CVE-2019-10384
https://www.oracle.com/security-alerts/cpuapr2022.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2019-08-28T15:30:17

Updated: 2024-08-04T22:17:20.571Z

Reserved: 2019-03-29T00:00:00

Link: CVE-2019-10384

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-08-28T16:15:10.983

Modified: 2024-11-21T04:19:01.147

Link: CVE-2019-10384

Redhat

Severity : Important

Publid Date: 2019-08-28T00:00:00Z

Links: CVE-2019-10384 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object